Neuromusculoskeletal Center of The Cascades Settlement Provides Cash Benefits for Breach Victims
Neuromusculoskeletal Center of The Cascades, PC, and Cascade Surgicenter LLC in Oregon have agreed to settle class action litigation stemming from an October 2023 data incident. An unauthorized third party gained access to employee email accounts between October 2, 2023, and October 3, 2023. While the unauthorized access was detected and remediated promptly, the hackers had access to sensitive data such as names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, driver’s license numbers/state ID numbers, financial information, medical information, health insurance information, and digital signatures.
Notification letters were mailed to the affected individuals on December 1, 2023. The Oregon Attorney General was informed that the breach affected 22,796 individuals, and the HHS’ Office for Civil Rights was notified that the protected health information of 19,373 individuals was potentially compromised in the attack.
A class action lawsuit was filed by plaintiff Krysta Hakkila individually and on behalf of similarly situated individuals, which was followed by a second lawsuit filed by plaintiff Ida Vetter. The two lawsuits were consolidated in the Circuit Court of Deschutes County, Oregon – Hakkila et al. v. Neuromusculoskeletal Center of The Cascades, PC.
The lawsuit claimed that the Neuromusculoskeletal Center of The Cascades failed to implement appropriate security measures and could have prevented the data breach, asserting claims of negligence, negligence per se, breach of fiduciary duty, breach of implied contract, unjust enrichment, invasion of privacy, and violations of the Oregon Unlawful Trade Practices Act. Neuromusculoskeletal Center of The Cascades disagrees with the claims and maintains there was no wrongdoing and is no liability.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The defendants and the plaintiffs agreed to settle the lawsuit with no admission of wrongdoing or liability to avoid the cost and risks of a trial. The settlement has recently received preliminary approval from the court. Under the terms of the settlement, class members may submit a claim for two years of medical data monitoring (CyEx Medical Shield Total), reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $500 per class member, reimbursement for documented lost time dealing with the effects of the data breach (up to four hours at $25 per hour), and reimbursement of losses to identity theft and fraud, up to a maximum of $2,500 per class member. Class members who do not wish to claim any of the above benefits may submit a claim for an alternative one-time cash payment of $80.
The deadline for submitting a claim is December 26, 2025. The final approval hearing has been scheduled for January 9, 2026. Individuals wishing to object to or exclude themselves from the settlement must do so by November 25, 2025.
